<!DOCTYPE html>
<html lang="en-us">
  <head>
    
<meta charset="UTF-8">
<title>Binary Executed from Shared Memory Directory | Elastic Security Solution [master] | Elastic</title>
<meta class="elastic" name="content" content="Binary Executed from Shared Memory Directory | Elastic Security Solution [master]">

<link rel="home" href="index.html" title="Elastic Security Solution [master]"/>
<link rel="up" href="prebuilt-rules.html" title="Prebuilt rule reference"/>
<link rel="prev" href="bash-shell-profile-modification.html" title="Bash Shell Profile Modification"/>
<link rel="next" href="bypass-uac-via-event-viewer.html" title="Bypass UAC via Event Viewer"/>
<meta class="elastic" name="product_version" content="master"/>
<meta class="elastic" name="product_name" content="Security"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/Security/Guide/master"/>
<meta name="DC.subject" content="Security"/>
<meta name="DC.identifier" content="master"/>

    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
    <meta name="yandex-verification" content="d8a47e95d0972434" />
    <meta name="localized" content="true" />
    <meta name="st:robots" content="follow,index" />
    <meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
    <meta property="og:image:width" content="500" />
    <meta property="og:image:height" content="172" />
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles.css" />
  </head>

  <!--© 2015-2022 Elasticsearch B.V. -->
  <!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
  <!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!-- Google Tag Manager for GA4 -->
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-KNJMG2M');</script>
    <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <!-- End Google Tag Manager for GA4-->

    <!--BEGIN QUALTRICS WEBSITE FEEDBACK SNIPPET-->
    <script type='text/javascript'>
      (function(){var g=function(e,h,f,g){
      this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null};
      this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "};
      this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0};
      this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}};
      this.start=function(){var a=this;window.addEventListener?window.addEventListener("load",function(){a.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){a.go()})}};
      try{(new g(100,"r","QSI_S_ZN_emkP0oSe9Qrn7kF","https://znemkp0ose9qrn7kf-elastic.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=ZN_emkP0oSe9Qrn7kF")).start()}catch(i){}})();
    </script><div id='ZN_emkP0oSe9Qrn7kF'><!--DO NOT REMOVE-CONTENTS PLACED HERE--></div>
    <!--END WEBSITE FEEDBACK SNIPPET-->

    <div id='elastic-nav' style="display:none;"></div>
    <script src='https://www.elastic.co/elastic-nav.js'></script>

    <div class="main-container">
      <section id="content" >
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container-fluid">
              <div class="row pb-3">
                <div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
                  <!-- The TOC is appended here -->
                </div>

                <div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
                  <!-- start body -->
                  <div class="page_header">
You are looking at preliminary documentation for a future release.
Not what you want? See the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="/guide/">Elastic Docs</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="index.html">Elastic Security Solution [master]</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="detection-engine-overview.html">Detections and alerts</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="prebuilt-rules.html">Prebuilt rule reference</a></span>
</div>
<div class="navheader">
<span class="prev">
<a href="bash-shell-profile-modification.html">« Bash Shell Profile Modification</a>
</span>
<span class="next">
<a href="bypass-uac-via-event-viewer.html">Bypass UAC via Event Viewer »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title"><a id="binary-executed-from-shared-memory-directory"></a>Binary Executed from Shared Memory Directory<a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/main/docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc">edit</a></h2>
</div></div></div>
<p>Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.</p>
<p><span class="strong strong"><strong>Rule type</strong></span>: eql</p>
<p><span class="strong strong"><strong>Rule indices</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
logs-endpoint.events.*
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Severity</strong></span>: high</p>
<p><span class="strong strong"><strong>Risk score</strong></span>: 73</p>
<p><span class="strong strong"><strong>Runs every</strong></span>: 5 minutes</p>
<p><span class="strong strong"><strong>Searches indices from</strong></span>: now-9m (<a href="/guide/en/elasticsearch/reference/master/common-options.html#date-math" class="ulink" target="_top">Date Math format</a>, see also <a class="xref" href="rules-ui-create.html#rule-schedule" title="Set the rule&#8217;s schedule"><code class="literal">Additional look-back time</code></a>)</p>
<p><span class="strong strong"><strong>Maximum alerts per execution</strong></span>: 100</p>
<p><span class="strong strong"><strong>References</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a href="https://linuxsecurity.com/features/fileless-malware-on-linux" class="ulink" target="_top">https://linuxsecurity.com/features/fileless-malware-on-linux</a>
</li>
<li class="listitem">
<a href="https://twitter.com/GossiTheDog/status/1522964028284411907" class="ulink" target="_top">https://twitter.com/GossiTheDog/status/1522964028284411907</a>
</li>
<li class="listitem">
<a href="/security-labs/a-peek-behind-the-bpfdoor" class="ulink" target="_top">https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor</a>
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Tags</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Elastic
</li>
<li class="listitem">
Host
</li>
<li class="listitem">
Linux
</li>
<li class="listitem">
Threat Detection
</li>
<li class="listitem">
Execution
</li>
<li class="listitem">
BPFDoor
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Version</strong></span>: 101 (<a class="xref" href="binary-executed-from-shared-memory-directory.html#binary-executed-from-shared-memory-directory-history" title="Rule version history">version history</a>)</p>
<p><span class="strong strong"><strong>Added (Elastic Stack release)</strong></span>: 8.3.0</p>
<p><span class="strong strong"><strong>Last modified (Elastic Stack release)</strong></span>: 8.6.0</p>
<p><span class="strong strong"><strong>Rule authors</strong></span>: Elastic</p>
<p><span class="strong strong"><strong>Rule license</strong></span>: Elastic License v2</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title"><a id="_potential_false_positives_115"></a>Potential false positives<a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/main/docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc">edit</a></h3>
</div></div></div>
<p>Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title"><a id="_rule_query_144"></a>Rule query<a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/main/docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc">edit</a></h3>
</div></div></div>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">process where event.type == "start" and event.action == "exec" and
user.name == "root" and process.executable : (
"/dev/shm/*", "/run/shm/*", "/var/run/*",
"/var/lock/*" ) and not process.executable : (
"/var/run/docker/*")</pre>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title"><a id="_threat_mapping_143"></a>Threat mapping<a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/main/docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc">edit</a></h3>
</div></div></div>
<p><span class="strong strong"><strong>Framework</strong></span>: MITRE ATT&amp;CK<sup>TM</sup></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>Tactic:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Name: Execution
</li>
<li class="listitem">
ID: TA0002
</li>
<li class="listitem">
Reference URL: <a href="https://attack.mitre.org/tactics/TA0002/" class="ulink" target="_top">https://attack.mitre.org/tactics/TA0002/</a>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Technique:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Name: Command and Scripting Interpreter
</li>
<li class="listitem">
ID: T1059
</li>
<li class="listitem">
Reference URL: <a href="https://attack.mitre.org/techniques/T1059/" class="ulink" target="_top">https://attack.mitre.org/techniques/T1059/</a>
</li>
</ul>
</div>
</li>
</ul>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title"><a id="binary-executed-from-shared-memory-directory-history"></a>Rule version history<a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/security-docs/edit/main/docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc">edit</a></h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
Version 101 (8.6.0 release)
</span>
</dt>
<dd>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Formatting only
</li>
</ul>
</div>
</dd>
<dt>
<span class="term">
Version 100 (8.5.0 release)
</span>
</dt>
<dd>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>Updated query, changed from:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">process where event.type == "start" and event.action == "exec"
and user.name == "root" and process.executable : (
"/dev/shm/*", "/run/shm/*", "/var/run/*",
"/var/lock/*" ) and not process.executable : (
"/var/run/docker/*")</pre>
</div>
</li>
</ul>
</div>
</dd>
<dt>
<span class="term">
Version 3 (8.4.0 release)
</span>
</dt>
<dd>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>Updated query, changed from:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">process where event.type == "start" and event.action == "exec"
and user.name == "root" and process.executable : (
"/dev/shm/*", "/run/shm/*", "/var/run/*",
"/var/lock/*" )</pre>
</div>
</li>
</ul>
</div>
</dd>
</dl>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="bash-shell-profile-modification.html">« Bash Shell Profile Modification</a>
</span>
<span class="next">
<a href="bypass-uac-via-event-viewer.html">Bypass UAC via Event Viewer »</a>
</span>
</div>
</div>

                  <!-- end body -->
                </div>

                <div class="col-12 order-3 col-lg-2 order-lg-3 h-almost-full-lg sticky-top-lg" id="right_col">
                  <div id="sticky_content">
                    <!-- The OTP is appended here -->
                    <div class="row">
                      <div class="col-0 col-md-4 col-lg-0" id="bottom_left_col"></div>
                      <div class="col-12 col-md-8 col-lg-12">
                        <div id="rtpcontainer">
                          <div class="mktg-promo" id="most-popular">
                            <p class="aside-heading">Most Popular</p>
                            <div class="pb-2">
                              <p class="media-type">Video</p>
                              <a href="https://www.elastic.co/webinars/getting-started-elasticsearch?baymax=default&elektra=docs&storm=top-video">
                                <p class="mb-0">Get Started with Elasticsearch</p>
                              </a>
                            </div>
                            <div class="pb-2">
                              <p class="media-type">Video</p>
                              <a href="https://www.elastic.co/webinars/getting-started-kibana?baymax=default&elektra=docs&storm=top-video">
                                <p class="mb-0">Intro to Kibana</p>
                              </a>
                            </div>
                            <div class="pb-2">
                              <p class="media-type">Video</p>
                              <a href="https://www.elastic.co/webinars/introduction-elk-stack?baymax=default&elektra=docs&storm=top-video">
                                <p class="mb-0">ELK for Logs & Metrics</p>
                              </a>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


<div id='elastic-footer'></div>
<script src='https://www.elastic.co/elastic-footer.js'></script>
<!-- Footer Section end-->

      </section>
    </div>

<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs.js"></script>
<script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>
